Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-11965

npm install fails with 500 error when user has Group level privileges

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0, 3.2.1
    • Fix Version/s: 3.3.0
    • Component/s: NPM, Security
    • Labels:
    • Story Points:
      0.5
    • Sprint:
      Sprint 89

      Description

      If a user has read privileges to a npm group, but not the underlying npm proxy, then the "npm install <package>" will get a 500 response for any package that is not locally cached in the npm proxy.

      Steps to reproduce:
      1) Setup a npm group npm-all that has npm proxy npmjs as a member
      2) Setup a user that has access to group repo npm-all (privilege nx-repository-view-npm-npm-all).
      3) Try to install a npm package that is not locally cached in proxy npmjs

      The npm install command will fail with something like the following:

      npm http fetch GET http://localhost:8081/repository/npm-all/glob/-/glob-7.1.1.tgz
npm http fetch 500 http://localhost:8081/repository/npm-all/glob/-/glob-7.1.1.tgz
npm info retry will retry, error on last attempt: Error: server error 500

      Nexus logs will show the following:

      2016-12-21 11:21:38,899+0000 WARN  [qtp1898010376-415] test org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure
java.lang.RuntimeException: java.io.IOException: org.apache.shiro.authz.AuthorizationException
	at com.google.common.base.Throwables.propagate(Throwables.java:160) [na:na]
	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:142) [na:na]
	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:210) [na:na]
	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.fetch(NpmProxyFacetImpl.java:62) [na:na]
	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:166) [na:na]
	at org.sonatype.nexus.repository.proxy.ProxyHandler.handle(ProxyHandler.java:49) [na:na]
	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
	at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39) [na:na]
	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
	at org.sonatype.nexus.repository.view.Context$proceed.call(Unknown Source) [na:na]
	at com.sonatype.nexus.repository.npm.internal.NpmProxyRecipe$_closure1.doCall(NpmProxyRecipe.groovy:160) [na:na]
...
...
Caused by: java.io.IOException: org.apache.shiro.authz.AuthorizationException
	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:347) [na:na]
	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageVersion(NpmProxyFacetImpl.java:299) [na:na]
	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:138) [na:na]
	... 131 common frames omitted
Caused by: org.apache.shiro.authz.AuthorizationException: null
	at org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:72) [na:na]
	at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:48) [na:na]
	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
	at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:46) [na:na]
	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
	at org.sonatype.nexus.repository.view.Context.start(Context.java:114) [na:na]
	at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:60) [na:na]
	at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52) [na:na]
	at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43) [na:na]
	at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:336) [na:na]
	... 133 common frames omitted

      Workaround If you give that user a read privilege to the proxy npmjs (nx-repository-view-npm-npmjs-read) then the user should be able to install the package that is not already cached.

      Group level permissions should be transitive, therefore use has the same privileges for all member repositories.

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. NEXUS-12073 Pulling from Docker group generates error unless read access assigned directly to member

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. NEXUS-16077 pip search on group requires read privilege on member repositories

          • Medium - Medium
          • Closed
          testing discovered

          Bug - A problem which impairs or prevents the functions of the product. NEXUS-12452 bower install fails when user has only group level privileges

          • Major - Major loss of function.
          • Closed

            Activity

              People

              Assignee:
              bradbeck Brad Beck
              Reporter:
              msurani Mahendra Surani
              Last Updated By:
              Peter Lynch
              Votes:
              2 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title